Skill v1.0.0

ClawScan security

OPC Product Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 5:04 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and requirements are consistent with a solo-entrepreneur product-spec generator and do not request unrelated credentials, external downloads, or privileged system access.
Guidance
This skill appears coherent and limited to generating product specs. Things to consider before installing:
(1) product_tracker.py reads/writes a ./products directory (it writes INDEX.json); only run it if you trust its filesystem effects and don't have sensitive files in that path.
(2) Templates include placeholders for environment variables and external services (e.g., Supabase, Anthropic), but the skill does not automatically require or exfiltrate credentials; you only need to supply those when following the generated spec.
(3) Autonomous invocation is normal for skills on this platform, so ensure you are comfortable allowing the agent to call this skill during conversations.
If you want extra assurance, inspect or run the bundle locally in a sandbox before giving it access to your project workspace.
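One way to do the "inspect the bundle locally" step yourself, as an added example that is not ClawScan's scanner and not code from the OPC Product Manager skill: a small static triage pass that walks a skill bundle and flags, per review dimension, the lines a reviewer should read (environment-variable or dotenv references, external URLs and installers, subprocess calls, filesystem writes, paths outside the bundle). The bundle layout (SKILL.md plus helper scripts and templates), the rule patterns, and the sample bundle it builds are all this example's own assumptions; the sample only mirrors what the scan above describes (a helper writing ./products/INDEX.json, templates naming Supabase and Anthropic) and is not the real skill's content.

```python
"""Pre-install static triage of a skill bundle, keyed to the five review
dimensions on this page. Added example: not ClawScan's scanner and not the
OPC Product Manager skill's own code. The bundle layout (SKILL.md plus
helper scripts and templates) and the rule patterns are assumptions."""
import re
import tempfile
from pathlib import Path

# One rule per signal: (review dimension, label, regex). The patterns are
# deliberately broad; a hit marks a line for a human to read, not a verdict.
RULES = [
    ("Credentials", "environment variable or dotenv placeholder",
     re.compile(r"os\.environ|getenv\(|\$\{?[A-Z][A-Z0-9_]{2,}\}?|^[A-Z][A-Z0-9_]{2,}=")),
    ("Install Mechanism", "external URL or installer",
     re.compile(r"https?://|\bcurl\b|\bwget\b|pip install|npm install")),
    ("Persistence & Privilege", "shell or subprocess execution",
     re.compile(r"subprocess\.|os\.system\(|os\.popen\(")),
    ("Instruction Scope", "filesystem write",
     re.compile(r'open\([^)]*[\x27"][wa]|\.write_text\(|\.mkdir\(|shutil\.')),
    ("Instruction Scope", "path outside the bundle",
     re.compile(r"~/|/etc/|/home/|\.ssh\b|\.aws\b")),
]
TEXT_SUFFIXES = {".md", ".py", ".txt", ".json", ".sh", ".yaml", ".yml", ".example"}


def triage_bundle(root):
    """Walk the bundle and return one finding per (line, rule) match."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in TEXT_SUFFIXES:
            continue
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            for dimension, label, rx in RULES:
                if rx.search(line):
                    findings.append({
                        "file": str(path.relative_to(root)),
                        "line": lineno,
                        "dimension": dimension,
                        "label": label,
                        "snippet": line.strip()[:80],
                    })
    return findings


def summarize(findings):
    """Findings per review dimension: a quick sketch of what the bundle touches."""
    counts = {}
    for f in findings:
        counts[f["dimension"]] = counts.get(f["dimension"], 0) + 1
    return counts


def write_sample_bundle(root):
    """Constructed bundle mirroring the scan's description of this skill:
    a SKILL.md that recommends a hosted service, a helper that writes
    ./products/INDEX.json, and a template with service placeholders.
    These are not the real OPC Product Manager files."""
    root = Path(root)
    (root / "templates").mkdir(parents=True, exist_ok=True)
    (root / "SKILL.md").write_text(
        "# Product Manager\n"
        "Read references/stack.md and produce a build-ready spec.\n"
        "Recommended hosting: https://vercel.com (optional).\n"
    )
    (root / "product_tracker.py").write_text(
        "import json\n"
        "from pathlib import Path\n"
        "PRODUCTS = Path('./products')\n"
        "def build_index():\n"
        "    PRODUCTS.mkdir(exist_ok=True)\n"
        "    names = sorted(p.name for p in PRODUCTS.glob('*.md'))\n"
        "    (PRODUCTS / 'INDEX.json').write_text(json.dumps(names))\n"
    )
    (root / "templates" / "env.example").write_text(
        "SUPABASE_URL=\n"
        "ANTHROPIC_API_KEY=\n"
    )
    return root


def run_demo():
    """Build the constructed bundle in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = write_sample_bundle(Path(tmp) / "opc-product-manager")
        findings = triage_bundle(bundle)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, counts = run_demo()
    for f in findings:
        print(f"{f['file']}:{f['line']} [{f['dimension']}] {f['label']}: {f['snippet']}")
    print(counts)
```

On the constructed bundle this reports the two filesystem writes in product_tracker.py, the two dotenv placeholders in the template, and the one recommendation URL in SKILL.md, which is exactly the set of lines the scan's guidance asks you to weigh; what it does not do is decide for you whether a URL is a recommendation or an installer, so treat each hit as a line to read, not as a verdict. Run it against the real bundle by pointing triage_bundle at the unpacked directory instead of the sample.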

Review Dimensions

Purpose & Capability
ok · Name/description match the included SKILL.md, README, references, templates, and a small helper script. The artifacts are all aligned with generating build-ready product specs for solo founders.
Instruction Scope
ok · SKILL.md limits behavior to product intake, spec generation, scope checks, tech-stack guidance, and handoff templates. It instructs the model to read bundled reference files and templates (read_file of local references) and to produce structured output; it does not direct the agent to read arbitrary system files, environment variables, or to exfiltrate data. The MVI and escalation rules are explicit and scoped to the product-spec domain.
Install Mechanism
ok · No install spec is present (instruction-only skill). There are no downloads, package installs, or external installers referenced. This is the lowest-risk install model.
Credentials
ok · The skill declares no required environment variables, binaries, or credentials. Template placeholders and references mention common hosted services (Supabase, Vercel, Anthropic) only as recommendations; they are not requested or required by the skill itself.
Persistence & Privilege
ok · The skill's always flag is false, and autonomous invocation is the platform default. The skill does not request persistent system-wide privileges or modify other skills' configs. A helper script (product_tracker.py) performs local filesystem reads/writes when run, which is reasonable for an optional product indexer and is not enabled automatically by an install spec.